Access controls key to secure POS network

Visa U.S.A. calls it network segmentation: splitting a network into functional pieces and placing access-control mechanisms between each boundary. This practice is crucial to securing POS systems that process transactions and transfer data, particularly over Internet protocol (IP) networks.

Visa continues to receive reports of vulnerabilities in the industry. In response, it issued a security alert Oct. 31 advising merchants to put proper network controls in place.

Payment card account information has been compromised at merchant locations lacking proper network segmentation, Visa reported. "This attack method originates on the Internet, results in penetration of the merchant's point of sale system, and often results in costly remediation efforts and increased fraud attacks," the alert stated.

Such compromises can be prevented if merchant networks are segmented. This practice limits potential intruders to the nonsensitive parts of the POS network that do not contain payment card information.

The most common example of network segmentation is the separation between the Internet and an internal network by using a firewall or router.

Merchants should be reminded that introducing e-mail and Web browsing to their POS networks opens an avenue of attack. A malicious e-mail attachment or Web page can introduce viruses, spyware and malware to the internal network.

Once such harmful software is in the door, the internal, trusted network allows uninhibited access to all devices on the network, putting card data at risk.

To safeguard a POS system and to comply with the Payment Card Industry (PCI) Data Security Standard, Visa recommends:

  • Separating user environments from business systems with a firewall. For example, an e-mail system used by employees should be separate from the transaction processing system.
  • Configuring the firewall to permit access to the processing system only by parties participating in the transaction flow, and limiting the permissible host connections to the Wi-Fi access point by specifying individual MAC (media access control) or IP addresses.
  • Limiting system access to only those network ports that are necessary to perform business functions.
  • Applying access controls to both inbound and outbound network traffic.
  • Using a virtual private network or secure sockets layer (encrypted) connection between systems processing transaction data and other sensitive data, whenever possible. Encrypted connections ensure the confidentiality and integrity of the information by protecting it against eavesdropping.
  • Implementing a switched network: Switches handle network traffic in a manner that is more resistant to eavesdropping.
  • Enabling logging and exception alerting on all network devices and business systems, where possible. Log files should be protected from tampering. (Event logging is an essential tool in analyzing the state of a POS network. It can identify and scope potential intrusions, according to Visa.)
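The following Python model is an added illustration of the list above and is not code from Visa, the PCI standard or The Green Sheet. It puts a POS segment, an office segment and a Wi-Fi segment behind a default-deny rule set that is enforced in both directions, restricts the POS segment to the payment processor on a single port, applies a MAC allow-list at the Wi-Fi access point, writes a log line per decision, and raises an exception alert for any source that accumulates repeated denials. All addresses, MAC values, port numbers, the processor endpoint and the alert threshold are constructed for the example; the VPN/SSL and switched-network items are not modelled.

```python
"""Toy model of a segmented POS network: default-deny, bidirectional access control,
a Wi-Fi MAC allow-list, per-flow logging and exception alerting over that log.
All addresses, MACs, ports and thresholds are constructed for illustration."""

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed segments (private / documentation ranges, not a real merchant).
SEGMENTS = {
    "pos": ipaddress.ip_network("10.10.1.0/24"),     # terminals and transaction server
    "office": ipaddress.ip_network("10.10.2.0/24"),  # employee e-mail and web browsing
    "wifi": ipaddress.ip_network("10.10.3.0/24"),    # wireless clients behind the access point
}
PROCESSOR = ipaddress.ip_network("203.0.113.10/32")  # constructed payment-processor endpoint
ANY = ipaddress.ip_network("0.0.0.0/0")

# Hosts the Wi-Fi access point will accept, by MAC address (constructed values).
WIFI_ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    src_mac: Optional[str] = None  # only checked for hosts on the Wi-Fi segment


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


# Ordered rules: (action, source network, destination network, permitted ports or None=any).
# First match wins; a flow that matches nothing is denied. Denies are explicit for the POS
# segment so that the broader office/Wi-Fi allows below can never reach it.
RULES = [
    ("allow", SEGMENTS["pos"], PROCESSOR, {443}),          # transaction flow only, TLS only
    ("allow", SEGMENTS["pos"], SEGMENTS["pos"], {8443}),   # terminals -> transaction server (constructed port)
    ("deny", ANY, SEGMENTS["pos"], None),                  # inbound control: nothing else reaches POS
    ("deny", SEGMENTS["pos"], ANY, None),                  # outbound control: POS reaches nothing else
    ("allow", SEGMENTS["office"], ANY, {80, 443, 993}),    # web browsing and IMAPS mail
    ("allow", SEGMENTS["wifi"], ANY, {80, 443}),           # web only, subject to the MAC allow-list
]


def evaluate(flow: Flow) -> tuple:
    """Return (decision, reason) for one flow under the rule set above."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Access-point check: an unknown Wi-Fi host is dropped before any rule is consulted.
    if segment_of(flow.src) == "wifi" and flow.src_mac not in WIFI_ALLOWED_MACS:
        return "deny", "wifi-mac-not-allowed"
    for action, src_net, dst_net, ports in RULES:
        if src in src_net and dst in dst_net and (ports is None or flow.dport in ports):
            return action, f"rule:{src_net}->{dst_net}"
    return "deny", "default-deny"


def apply_policy(flows) -> list:
    """Evaluate every flow and return one log line per decision."""
    log = []
    for f in flows:
        decision, reason = evaluate(f)
        log.append(f"{decision.upper()} src={f.src} dst={f.dst} dport={f.dport} reason={reason}")
    return log


def denial_alerts(log, threshold: int = 3) -> dict:
    """Exception alerting: sources with at least `threshold` denied flows in the log."""
    denied = Counter()
    for line in log:
        if line.startswith("DENY"):
            denied[line.split("src=")[1].split()[0]] += 1
    return {src: n for src, n in denied.items() if n >= threshold}


# Constructed sample traffic, including a compromised office workstation probing the POS segment.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "203.0.113.10", 443),                     # terminal -> processor, TLS: allow
    Flow("10.10.1.20", "203.0.113.10", 80),                      # same pair in cleartext: deny
    Flow("10.10.1.20", "198.51.100.7", 443),                     # POS -> arbitrary Internet host: deny
    Flow("10.10.2.15", "10.10.1.20", 445),                       # office PC -> POS terminal: deny
    Flow("10.10.2.15", "10.10.1.20", 443),                       # office PC -> POS, even on 443: deny
    Flow("10.10.2.15", "10.10.1.20", 3389),                      # office PC -> POS again: deny
    Flow("10.10.2.15", "198.51.100.7", 443),                     # office PC browsing: allow
    Flow("10.10.3.9", "198.51.100.7", 443, "00:11:22:33:44:55"),  # known Wi-Fi client: allow
    Flow("10.10.3.9", "198.51.100.7", 443, "de:ad:be:ef:00:01"),  # unknown Wi-Fi MAC: deny
    Flow("198.51.100.7", "10.10.1.20", 443),                     # Internet -> POS inbound: deny
]

if __name__ == "__main__":
    log = apply_policy(SAMPLE_FLOWS)
    print("\n".join(log))
    print("alerts:", denial_alerts(log))  # {'10.10.2.15': 3}
```

Running the block prints the ten decisions and a single alert for the office workstation that was denied three times, which is the kind of exception a merchant's log review should surface; in a real deployment the log lines would be shipped to a host the POS segment cannot write to, so that a compromised device cannot tamper with its own record.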

For more guidance from Visa on protecting cardholder information, visit http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html

Article published in issue number 061102

© 2006, The Green Sheet, Inc.